HPE says Aruba customer data compromised after data breach

HPE has confirmed that a “limited subset” of customer data was taken in a data breach involving its subsidiary Aruba Networks, a maker of networking equipment.

The enterprise technology giant said in a statement that an unauthorized person used a private key to gain access to customer data stored in its Aruba Central cloud. HPE did not say how the hacker obtained the private key, but said the key allowed access to cloud servers in multiple regions where customer data was stored.

HPE bought Aruba Networks in 2015 for $3 billion in cash. Aruba provides networking gear, like wireless access points, and network security for companies. Through its dashboard, Aruba Central, companies can centrally monitor and manage their Wi-Fi networks.

It’s the Wi-Fi data collected in Aruba Central that HPE said was compromised. HPE said two data sets were exposed: one for network analytics containing information about devices accessing a customer’s Wi-Fi network, and a second data set containing location data about devices on the network. HPE did not give more details about the granularity of the exposed location data, but noted that the data “could allow the general vicinity of a user’s location to be determined.”

Specifically, the data included details about a device, such as its MAC and IP addresses, hostname and operating system and, in some cases, the username of the user accessing a Wi-Fi network. HPE said usernames are chosen by customers but could include a user’s name or an email address.

Worse, although the data was both scrambled and encrypted, the company said the private key had permission to use the decryption key; it wasn’t clear if the data was ultimately decrypted. HPE said it was likely that only a “very small amount, if any” of the data was exfiltrated. The company added that it wasn’t clear which specific customers were affected or what files were taken because the company does not keep logs of individual file access.

According to a statement, the hacker first used the key on October 9, but HPE did not detect the intrusion until November 2. HPE automatically purges data from its cloud servers every 30 days, so the amount of compromised data was limited to records dating back to September 10.

HPE said it was notifying customers of the incident.